Misconfigurations and API Vulnerabilities
Organizations are rapidly embracing cloud applications that naturally require the transfer of sensitive data to the cloud. However, a huge number of organizations have failed to demonstrate the same enthusiasm for cloud security. This is perhaps the reason why the number of incidents involving cloud vulnerabilities seems to be soaring each year. Companies often make the mistake of relying exclusively on cloud service providers for managing cloud security. While providers are responsible for securing the cloud itself, configuring the cloud infrastructure correctly is in the company’s hands. In fact, securing cloud environments is a shared responsibility that falls on the providers as well as the companies.
According to the Cybersecurity Insiders’ “2019 Cloud Security Report”, 42% of the responding cybersecurity professionals identified insecure interfaces and APIs as the top vulnerability to cloud security, followed closely by cloud misconfigurations, which were mentioned by 40% of respondents. The problem is that the configuration of cloud infrastructure is usually left in the hands of development teams that are often under-skilled and do not have the proper controls for ensuring security and compliance.
There are so many cloud resources and APIs to manage in complex hybrid and multi-cloud environments that misconfigurations seem inevitable. On the other hand, while developing APIs, development teams adopt a functionality-centric approach instead of a security-centric one. But it is worthwhile to know that no matter how secure the cloud services are, they’ll only ever be as secure as the APIs used to access them.
Large Organizations and Experts fall prey to cloud misconfigurations
One of the major data breaches was the Capital One hack. Capital One’s data was breached by a software engineer working for Amazon Web Services (AWS), the cloud hosting company that Capital One was using. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing. The breach affected around 100 million people in the United States and about 6 million people in Canada, according to Capital One. The company expects to incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support.
In another recent occurrence, the data management company Attunity had three of its AWS S3 servers publicly accessible due to a misconfiguration on the company’s part. The company’s email correspondence and employee database, as well as customers’ data, including that of Fortune 100 companies like Netflix, were exposed. There are plenty of other incidents that highlight the prevalence of cloud misconfigurations and their far-reaching consequences.
Recently, a misconfigured AWS S3 server that leaked sensitive photos as well as personal data of a couple of thousand members landed Jack’d, a dating app, in trouble along with its parent company, Online Buddies. The app was slammed with a $240,000 settlement, all because of cloud misconfiguration.
Such preventable incidents call for organizations to take additional measures to secure their cloud deployments. The convenience of leaving cloud security entirely up to the vendors is definitely not worth the consequences it entails.
So What Now?
The only way to deal with cloud security challenges is by getting actively involved in forming the company’s cloud security strategy or HMC Strategy. CIOs and CTOs must ensure that their companies have the required skill set to properly deploy cloud solutions and the resources to identify cloud API vulnerabilities before they can cause a security incident. Hiring a qualified partner such as LKMethod can help with a cloud strategy. Lyndall Kirkes discusses how important it is to be “Strategy First” in this “Cloud First” world. Lyndall highlights that it is not all about implementing security; the accessibility, monitoring, and managing of your apps in the cloud is what’s critical.
Misconfigurations Are Inevitable
Here is why: doing everything right upfront doesn’t mean you won’t have developers changing and spinning up code with new apps and deployments. So it is important to carry out regular audits to detect any misconfigurations as soon as possible. Automation can take a lot of the burden off the security team’s shoulders.
Automating all repetitive processes in cloud configuration and the security strategy can go a long way in avoiding frequent mishaps. The development teams must work closely with the security experts to ensure that their focus on functionality and speed does not come at the cost of data security and privacy. Lastly, only relevant users should have access to a company’s resources. Access should be allowed only where required, and admins can control this.
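As an added illustration of the regular, automated audit recommended above (this is example code written for this page, not from the original article or any vendor), the Python sketch below flags S3 buckets that are publicly reachable through an ACL grant or a bucket policy. It assumes a hypothetical inventory layout per bucket (`Acl`, `Policy`, `PublicAccessBlock`) assembled from the responses of S3's GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock calls, and it uses a simplified model: account-level settings are ignored and policy conditions are not evaluated, only detected.

```python
# Group URIs that S3 ACLs use for "everyone" and "any authenticated AWS user".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def open_statements(policy):
    """Sids of Allow statements for any principal that carry no Condition."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts  # single-object form
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and is_wildcard(s.get("Principal"))
            and not s.get("Condition")]

def audit_bucket(cfg):
    """Findings for one bucket (simplified model of Block Public Access)."""
    pab, findings = cfg.get("PublicAccessBlock", {}), []
    grants = sorted(g["Permission"] for g in cfg.get("Acl", {}).get("Grants", [])
                    if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)
    if grants and not pab.get("IgnorePublicAcls"):
        findings.append("public ACL grant: " + ", ".join(grants))
    sids = open_statements(cfg.get("Policy", {}))
    if sids and not pab.get("RestrictPublicBuckets"):
        findings.append("public policy statement: " + ", ".join(sids))
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("Block Public Access not fully enabled")
    return findings

def audit(inventory):  # bucket name -> findings; clean buckets are omitted
    return {n: f for n, cfg in inventory.items() if (f := audit_bucket(cfg))}

# Constructed inventory: bucket names and settings are made up for this example.
ALL_ON = dict.fromkeys(PAB_KEYS, True)
PUBLIC_READ_ACL = {"Grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE = {
    "example-backups": {"PublicAccessBlock": {}, "Acl": PUBLIC_READ_ACL},
    "example-site": {"PublicAccessBlock": {}, "Policy": {"Statement": {
        "Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"}}}},
    "example-legacy": {"PublicAccessBlock": ALL_ON, "Acl": PUBLIC_READ_ACL},
    "example-private": {"PublicAccessBlock": ALL_ON, "Acl": {"Grants": []}},
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run on a schedule against a fresh inventory, a non-empty result is the signal to investigate; `example-legacy` produces no finding because its public ACL is neutralised by `IgnorePublicAcls`.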